RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
This article explains how to create a RADIUS monitoring account that attempts to log into the RADIUS server.
On the RSA Authentication Manager server
- Login to the Security Console of your primary server.
- Create a new user (Identity > Users > Add New), being sure to ad all required information. When done, click Save.
- Using the Search Criteria options on the left, search for the new user.
- Click on the context arrow next to the user ID and choose Authentication Settings.
- Check the option to Allow authentication with a fixed passcode.
- Enter and confirm the fixed passcode. For example, 87654321.
- Click Save when done.
- Be sure to login to the Self-Service Console at least once with the new user ID and fixed passcode because you will be asked to change the fixed passcode.
- When prompted, change the fixed passcode to something else (for example, 12345678).
- Use the newly updated fixed passcode with the monitoring account.
There is no need to assign a token to your monitoring user as long as you are using a fixed passcode. You don’t want to waste a token on a user just for monitoring.
On the Citrix NetScaler
- In the NetScaler Configuration Utility, on the left under Traffic Management > Load Balancing, click Monitors. On the right, click Add.
- Provide a name for the monitor.
- Change the Type listed in the drop-down to RADIUS.
- On the Standard Parameters tab, you might have to increase the Response Time-out to 4.
- On the Special Parameters tab, enter valid RADIUS credentials:
- In the User Name field, type the user ID of the user created in the Security Console.
- In the Password field, enter the fixed passcode which was set in the Self-Service Console.
- In the Radius Key Field, enter the shared secret configured on RSA Authentication Manager server and Citrix NetScaler:
- On the left, expand Traffic Management, expand Load Balancing, and click Service Groups then choose the created service group for RSA RADIUS.
- On the right, in the Advanced Settings column, click Monitors and on the Monitors Section, click on No Service Group to Monitor Binding.
- Click the arrow next to Click to select and Select your new RADIUS monitor. Click Select then click Bind.
To verify that RADUS monitoring is working correctly
- After Binding, verify that member is up by clicking on Service Group Members and click Monitor Details. It should say RADIUS response code 2 or 3 was received. Click OK then Done.
- From the Security Console add a new report, selecting the Authentication Activity template or use the real time authentication activity report (Reporting > Real-time Activity Monitors > Authentication Activity Monitor > Start Monitor). With either option there should be see successful login attempts from the RADIUS monitoring account